FTP Buffer Overflows

04/17/2001

Welcome to Security Alerts, an overview of recent Unix and open-source
security advisories. In this column, we look at buffer overflows in
many FTP daemons, Oracle Application Server, Solaris ipcs, Solaris
Xsun, and a whole list of programs in SCO OpenServers; temporary file
race conditions in pine and pico; format string bugs in HylaFAX and
cfingerd; a bug that allows Netscape to execute JavaScript placed in a GIF comment; and
problems in Midnight Commander, mkpasswd, Alcatel ADSL-Ethernet
Bridges, and Interscan VirusWall.

Many FTP daemons are vulnerable to a buffer overflow attack when
executing FTP commands such as CWD, DELE, MKD, and STOU that use the
glob() function call. Systems that are vulnerable to this type of attack include: FreeBSD 4.2, OpenBSD 2.8, NetBSD 1.5, IRIX 6.5.x, HPUX
11, Solaris 2.6, Solaris 7, and Solaris 8.

It has been reported that
NcFTPd and vsftpd are not vulnerable to this attack. It is not clear
which daemons have a remotely exploitable condition and which have
only a denial-of-service vulnerability.
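The defect class described above is an expanded pathname being copied into a fixed-size buffer with no length check. The following C example is added here to illustrate it and is not code from any of the affected daemons; the 64-byte buffer size, the function names, and the sample arguments are constructed for the illustration. It uses glob(3) with GLOB_NOCHECK so that a pattern with no matches is returned as-is, which keeps the behaviour deterministic on any filesystem, and shows the unchecked copy beside a version that refuses any expansion that does not fit.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* Small fixed buffer standing in for a daemon's path buffer (constructed size). */
#define PATH_BUF 64

/* Vulnerable pattern, shown for contrast and never called below: the first
 * expansion is copied with strcpy() into dst no matter how long it is, so a
 * long client-supplied argument writes past the end of the buffer. */
void expand_arg_unchecked(const char *arg, char *dst) {
    glob_t g;
    if (glob(arg, GLOB_NOCHECK, NULL, &g) == 0 && g.gl_pathc > 0)
        strcpy(dst, g.gl_pathv[0]);   /* no bound on the expanded length */
    globfree(&g);
}

/* Hardened pattern: expand, then copy only if the result fits with room for
 * the terminating NUL. Returns 0 on success, -1 if the argument is rejected. */
int expand_arg_checked(const char *arg, char *dst, size_t dstlen) {
    glob_t g;
    int rc = -1;
    if (glob(arg, GLOB_NOCHECK, NULL, &g) != 0 || g.gl_pathc == 0)
        return -1;
    size_t n = strlen(g.gl_pathv[0]);
    if (n < dstlen) {
        memcpy(dst, g.gl_pathv[0], n + 1);   /* includes the NUL */
        rc = 0;
    }
    globfree(&g);
    return rc;
}

/* Constructed argument of 200 'a's: far longer than PATH_BUF, must be rejected. */
int demo_long_arg(void) {
    char arg[201];
    memset(arg, 'a', 200);
    arg[200] = '\0';
    char buf[PATH_BUF];
    return expand_arg_checked(arg, buf, sizeof buf);   /* -1 */
}

/* Constructed argument that matches nothing: GLOB_NOCHECK hands it back
 * unchanged, it fits, and the copy succeeds. */
int demo_short_arg(void) {
    char buf[PATH_BUF];
    if (expand_arg_checked("nonexistent-dir-xyz/*", buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf, "nonexistent-dir-xyz/*") == 0 ? 0 : -1;   /* 0 */
}

int main(void) {
    printf("over-long argument: %s\n", demo_long_arg() == -1 ? "rejected" : "accepted");
    printf("short argument: %s\n", demo_short_arg() == 0 ? "copied" : "failed");
    return 0;
}
```

The length check is the whole fix: the daemon already knows the size of its buffer, so any expansion that cannot fit is an error to report to the client, never something to copy.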

The pine email package, including the pico editor, does not properly
create temporary files. A race condition in the creation of these
temporary files can be used by a malicious user to overwrite arbitrary
files on the system with the permissions of the user executing pine or
pico.

This race condition has been fixed in pine 4.33 and it is recommended
that users of pine upgrade as soon as possible.
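The race described above comes from creating a temporary file at a predictable name in a way that follows whatever already sits at that path. The C example below is added here to show the pattern and its fix; it is not pine or pico code, and the file name template, the directory choice (TMPDIR, falling back to /tmp) and the function names are constructed for the illustration. The hardened version uses mkstemp(3), which picks an unpredictable suffix and opens with O_CREAT|O_EXCL, so a file or symlink planted at the chosen name makes the open fail rather than being overwritten.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, shown for contrast and never called below: the name is
 * predictable and O_TRUNC follows an existing symlink, so a local user who
 * links that name to another file gets it truncated and written with the
 * permissions of whoever runs the editor. */
int open_temp_racy(const char *predictable_path) {
    return open(predictable_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened version: mkstemp(3) replaces the trailing "XXXXXX" in place with
 * an unpredictable suffix and opens with O_CREAT|O_EXCL. The umask guard
 * covers older C libraries that created the file with mode 0666. */
int open_temp_safe(char *template_buf) {
    mode_t old = umask(077);
    int fd = mkstemp(template_buf);
    umask(old);
    return fd;
}

/* Demonstration: returns 0 when the safe open succeeds and a second
 * O_EXCL open of the now-existing name is refused with EEXIST, which is the
 * property that defeats a planted file or symlink. */
int demo_tempfile(void) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL) dir = "/tmp";
    char tmpl[4096];
    snprintf(tmpl, sizeof tmpl, "%s/pico-demo.XXXXXX", dir);   /* constructed name */

    int fd = open_temp_safe(tmpl);
    if (fd < 0) return -1;

    int fd2 = open(tmpl, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int result = (fd2 < 0 && errno == EEXIST) ? 0 : -2;
    if (fd2 >= 0) close(fd2);

    close(fd);
    unlink(tmpl);
    return result;   /* 0 */
}

int main(void) {
    printf("exclusive temp file: %s\n", demo_tempfile() == 0 ? "ok" : "failed");
    return 0;
}
```

Keeping the descriptor returned by mkstemp and never re-opening the file by name is part of the fix: a later open(2) of the path would reintroduce the same window.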

Under some circumstances, Netscape can be made to execute JavaScript
code embedded inside a GIF comment. A remote attacker may be able to
exploit this bug and obtain data stored on the local machine. This
problem affects Netscape version 4.76.

Midnight Commander is an ncurses console-based file manager for Unix
systems. A vulnerability has been discovered that can be exploited by
a malicious user to execute arbitrary commands as the user running
Midnight Commander. The attacker exploits the vulnerability by
creating directories with carefully crafted names that are then parsed
by Midnight Commander as it traverses these directories.

Anyone using Midnight Commander should upgrade to version 4.5.51 or
newer as soon as possible.

The expect script mkpasswd shipped with Red Hat Linux versions 6.2 and 7 draws its passwords from a small set of possible values. This small password space means an attacker needs far less time to find
user passwords with a dictionary-based password-cracking program.

Users of Red Hat Linux versions 6.2 or 7 should check the Red Hat Web site for updated versions, and should manually select their passwords until mkpasswd has
been fixed.